Date       : January 30, 2012
Reply to
Attn of    : Office of Inspector General (OIG)

Subject    : Advisory Report No. 12-04, Inadequate Contingency Planning Continues to be a
             Significant Risk for the Electronic Records Archives System

To         : David S. Ferriero, Archivist of the United States


The purpose of this Advisory Report is to inform you of a situation that could adversely impact the National Archives and Records Administration's (NARA's) ability to meet its mission should the Electronic Records Archives (ERA) System's primary site be unavailable for an extended time period. As part of our effort to provide audit coverage to NARA's ERA program, we followed up on the status of two issues: 1) system backups and 2) an alternative backup site, which we previously reported on in Advisory Report No. 10-11 entitled "Inadequate Contingency Planning for the Electronic Records Archives System," dated April 29, 2010. We found these issues have not been adequately addressed: (1) it is still unknown if the ERA System (in its entirety) can be successfully restored from backup tapes, and (2) there is not an alternative backup site.

The ERA System represents the largest information technology project ever undertaken by NARA. The ERA System is being developed to fulfill NARA's mission in the digital age: to safeguard and preserve the records of our government, ensure that the people can discover, use, and learn from this documentary heritage, and ensure continuing access to the essential documentation of the rights of American citizens and the actions of their government. In addition, the use of ERA will be mandatory for all Federal agencies in 2012. Without adequate contingency planning, ERA officials continue to lack assurance that the ERA System can be successfully restored at an alternative location should its primary site be unavailable. Such a significant risk severely limits the reliability of the system.

Information technology (IT) systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire), from a variety of sources ranging from natural disasters to terrorist actions. Contingency planning refers to interim measures to recover IT services following an emergency or system disruption. Interim measures may include the relocation of IT systems and operations to an alternative site, the recovery of IT functions using alternative equipment, or the performance of IT functions using manual methods.

The National Institute of Standards and Technology Special Publication 800-34, Revision 1, entitled "Contingency Planning Guide for Federal Information Systems," dated May 2010, states that backup and recovery methods and strategies are a means to restore system operations quickly and effectively following a service disruption. Although major disruptions with long-term effects may be rare, they should be accounted for in the contingency plan. The Federal Information Processing Standards Publication (FIPS PUB) 199, "Standards for Security Categorization of Federal Information and Information Systems," is used to rank a system's Confidentiality, Integrity, and Availability as High, Moderate, or Low. FIPS Categorization is determined by the adverse effect that a security event could have on the system, and how it impacts the confidentiality, integrity, and availability of the system. The ERA System's FIPS Categorization for Availability is Moderate, which means that a prolonged discontinuance of service would result in an impact to mission requirements. The FIPS 199 Recovery Strategy for a system with an impact level of Moderate for Availability is to have a Cold or Warm Backup site.[1] Thus, the contingency plan for all FIPS 199 moderate or high impact systems should include a strategy to recover and perform system operations at an alternate facility for an extended period.

[1] Cold sites are typically facilities with adequate space and infrastructure (electric power, telecommunications connections, and environmental controls) to support information system recovery activities. Warm sites are partially equipped office spaces that contain some or all of the system's hardware, software, telecommunications, and power sources.

Backups

The current method of protecting the ERA System from a disaster is the storage of backup tapes at Archives II in College Park, MD. Incremental backups of data are done daily at the ERA System's primary location, the Allegany Ballistics Lab (ABL) in Rocket Center, West Virginia. Our concern has been, and continues to be, that the ERA System, in its entirety, has still not been restored from backup tapes. Without adequate testing, it is still unknown if the ERA System can be restored in a timely manner from backup tapes. An ERA official acknowledged that although restoration from tape for the ERA System has not been demonstrated in its entirety, restoration of selected subsets of ERA business objects and records has been successfully accomplished. However, restoration of selected subsets of the ERA System does not provide us with an adequate level of confidence that the system, in its entirety, could be successfully restored in a timely manner should a disaster occur.

Additionally, in our April 2010 report we noted that of particular concern to ERA officials was the restoration of the Executive Office of the President (EOP) data archive from tape. The EOP data archive is mirrored to an onsite replicated archive. Program officials felt the EOP data could be recovered from the replica, but had serious concerns about the ability to restore the EOP data archive from tape if the replica was not available. An ERA official indicated to us that it still has not been demonstrated that the EOP data archive can be successfully restored from tape. Further, due to a software upgrade, the EOP production system and the replica were out of sync for about six months. A project has been initiated to upgrade EOP's Hitachi Content Platform infrastructure, which introduces failover capabilities between the production and replica archives. ERA management feels this will eventually allow them to position the EOP replica at an alternative operations site. We suggest the ERA Program Office conduct adequate testing to determine if the ERA System (in its entirety) can successfully be restored from backup tapes in a timely manner.

Alternative Backup Site

Currently, there is no alternative ERA backup site or an official Disaster Recovery Plan for the ERA System. In the event of a disaster that renders the current ERA production data center (i.e., ABL) unusable, NARA does not have an alternative processing site to continue ERA operations. NARA would need to acquire the funding to purchase replacement hardware, obtain data center space to house the new equipment, and have the offsite tapes sent to the new location to begin restoration of the system. The ERA Contingency Plan dated August 9, 2011 states that under a major system failure, an alternative processing site is utilized. The plan also states that detailed information on the roles and responsibilities, support structure, line of succession, and procedures for a major system failure are documented in Contract Data Requirements List (CDRL) number 88 (Disaster Recovery Plan). However, CDRL number 88 was removed as a deliverable from the development contract in June 2011. A senior ERA Program Official stated that instead of a backup site, "we are storing backup disks at Archives II." Although we agree that backing the system up and storing the tapes offsite is an important and necessary control for disaster recovery, we do not think it should be in lieu of an alternative backup site. The ERA System's FIPS Categorization for Availability is Moderate, which means that a prolonged discontinuance of service would result in an impact to mission requirements. The FIPS 199 Recovery Strategy for a system with an impact level of Moderate for Availability is to have a Cold or Warm Backup site.

The Memorandum of Understanding (MOU) between NARA and Naval Sea Systems Command for space at the ABL states that either party may terminate the MOU by providing written notice, and the disposition of property and transition of personnel must be completed within 365 days. When an ERA official was asked whether, if the Navy decided to terminate the MOU, the ERA System could be relocated to a new location and brought up within a year, she responded that it has been estimated that the project to locate and acquire alternative space, provision the new space, fit up and validate the new environment, and decommission the existing environment could be successfully completed within 365 days. However, she noted this timeline would be contingent upon several external factors, including the acquisition lifecycle and the availability of funding for the work. Without adequate planning, and under the current budget environment, it may be very difficult to accomplish this type of move within the time constraints of the MOU, should the Navy decide to terminate this agreement.

The ERA System Security Plan states no alternative processing site has been implemented. The current ERA Business Impact Analysis (BIA) and ERA Contingency Plan both address a primary site unavailability scenario by utilizing the existing NARA legacy applications: Archival Preservation System (APS), Accessions Management Information System (AMIS), and the Archival Electronic Records Inspection and Control System (AERIC). In the event of unavailability of the ERA System at Rocket Center, these plans call for customers to continue their business functions by using these legacy systems, which are currently in place at Archives II and which are running parallel operations. However, ERA's Business Case Analysis identified these three legacy systems, as well as the Access to Archival Databases System, as four systems that will be replaced by ERA because, individually and collectively, they are not adequate to NARA's mission needs, their designs cannot be accommodated into the NARA Target Architecture, and/or they automate certain processes that will no longer be necessary.

The Security Plan also states there is no alternative processing site in place and NARA accepts the risk. When asked what the basis for making this statement was, a senior ERA official stated this weakness has been identified in a Plan of Action and Milestones (POA&M). The planned corrective action in the POA&M is for NARA to designate and procure alternative operating facilities as part of its Continuity of Operations Plan (COOP) in support of the ERA System. However, this POA&M has been closed without implementing the corrective action. A comment field in the POA&M states to record (this weakness) as a risk within the System Security Plan without implementation. An ERA Official commented that the risk is not "Accepted" by NARA and that it is an active risk documented in the System Security Plan. This official went on to say the ERA Program is not building a duplicate ERA site, so the only alternative for security is to document how ERA would operate if the ABL site was lost. In our opinion, the reliance on legacy systems is not an adequate control and does not comply with FIPS for a system that is critical to NARA's mission and that will be mandatory for use by all Federal agencies next year. We suggest the ERA Program Office conduct an analysis of risks and alternatives to determine the level of risk management is willing to accept and the most cost-effective alternative for meeting NARA's mission if the ABL was unavailable for an extended time period.

Our review effort consisted primarily of reviewing applicable ERA documentation such as the ERA Core Infrastructure System Security Plan, ERA Contingency Plan, ERA Continuity of Operations Plan, ERA Business Case Analysis, and the ERA Business Impact Analysis, and of interviews with responsible ERA Program Office officials.

As with all OIG products, we will determine what information is publicly posted on our website from this report. Should you or management have any redaction suggestions based on FOIA exemptions, please submit them to my counsel within one week from the date of this letter. Should we receive no response from you or management by this timeframe, we will interpret that as confirmation that NARA does not desire any redactions to the posted report.

Should you have any questions concerning the information presented in this Advisory Report, or there are other areas of the ERA Program that you would like for us to review, please do not hesitate to contact me or James Springs, Assistant Inspector General for Audits, at (301) 837-3000.

cc: Michael Wash, Chief Information Officer
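The Backups section above turns on two measurable questions: whether a restore test read back the entire backup catalog, intact, rather than selected subsets, and whether a mirrored replica has drifted from production and for how long. The Python below is an added example written for this page; it is not ERA program code or NARA tooling. The catalog, hashes, object names and dates are constructed, and the function and class names (evaluate_restore, replica_drift and the scenario helpers) are hypothetical. The design point is that expected hashes are recorded at backup time, so a restore is judged against the catalog and not against the restored copy itself.

```python
"""Verify a backup-restore test and measure production/replica drift.

Added example for this page (constructed data, hypothetical names); not ERA or NARA code.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample catalog: object id -> content the backup set is supposed to hold.
BACKUP_CATALOG: Dict[str, bytes] = {
    "accession-0001": b"transfer manifest 0001",
    "accession-0002": b"transfer manifest 0002",
    "eop-archive-001": b"EOP email batch 001",
    "eop-archive-002": b"EOP email batch 002",
    "search-index": b"index shard v7",
}

# Hashes recorded when the backup was written; the restore test is checked against these.
BACKUP_HASHES: Dict[str, str] = {k: sha256_hex(v) for k, v in BACKUP_CATALOG.items()}


@dataclass
class RestoreReport:
    catalog_size: int
    restored_count: int                                  # catalogued objects actually read back
    missing: List[str] = field(default_factory=list)     # catalogued but never restored
    corrupted: List[str] = field(default_factory=list)   # restored but hash mismatch

    @property
    def coverage(self) -> float:
        return self.restored_count / self.catalog_size if self.catalog_size else 0.0

    @property
    def full_restore_demonstrated(self) -> bool:
        # Only a test that brought back every catalogued object, intact, demonstrates
        # that the system "in its entirety" can be recovered from tape.
        return not self.missing and not self.corrupted


def evaluate_restore(expected_hashes: Dict[str, str], restored: Dict[str, bytes]) -> RestoreReport:
    """expected_hashes: id -> sha256 from the catalog; restored: id -> bytes read back."""
    report = RestoreReport(catalog_size=len(expected_hashes), restored_count=0)
    for obj_id, want in expected_hashes.items():
        if obj_id not in restored:
            report.missing.append(obj_id)
            continue
        report.restored_count += 1
        if sha256_hex(restored[obj_id]) != want:
            report.corrupted.append(obj_id)
    return report


@dataclass
class DriftReport:
    out_of_sync: List[str]               # objects whose replica copy differs or is absent
    oldest_divergence: Optional[date]    # earliest production change the replica lacks

    def drift_days(self, as_of: date) -> int:
        return (as_of - self.oldest_divergence).days if self.oldest_divergence else 0


def replica_drift(prod: Dict[str, str], replica: Dict[str, str],
                  prod_updated: Dict[str, date]) -> DriftReport:
    """prod/replica: id -> sha256 at each site; prod_updated: id -> last production change."""
    divergent = sorted(i for i, h in prod.items() if replica.get(i) != h)
    oldest = min((prod_updated[i] for i in divergent), default=None)
    return DriftReport(out_of_sync=divergent, oldest_divergence=oldest)


# Constructed scenarios.
def subset_restore_scenario() -> RestoreReport:
    """Only the accession objects were restored: the EOP archive and index were never tested."""
    subset = {k: BACKUP_CATALOG[k] for k in ("accession-0001", "accession-0002")}
    return evaluate_restore(BACKUP_HASHES, subset)


def full_restore_with_bad_tape_scenario() -> RestoreReport:
    """Everything came back, but one object is a stale copy from an older backup."""
    restored = dict(BACKUP_CATALOG)
    restored["search-index"] = b"index shard v6"
    return evaluate_restore(BACKUP_HASHES, restored)


AS_OF = date(2011, 12, 1)


def drift_scenario() -> DriftReport:
    """A software upgrade changed one production object on 2011-06-01; the replica still
    holds the pre-upgrade copy, so by AS_OF the sites have been out of sync for six months."""
    prod = dict(BACKUP_HASHES)
    prod["eop-archive-002"] = sha256_hex(b"EOP email batch 002 (post-upgrade)")
    replica = dict(BACKUP_HASHES)
    updated = {k: date(2011, 1, 15) for k in prod}
    updated["eop-archive-002"] = date(2011, 6, 1)
    return replica_drift(prod, replica, updated)


if __name__ == "__main__":
    for name, rep in (("subset", subset_restore_scenario()),
                      ("full-with-bad-tape", full_restore_with_bad_tape_scenario())):
        print(f"{name}: coverage={rep.coverage:.0%} missing={rep.missing} "
              f"corrupted={rep.corrupted} full_restore={rep.full_restore_demonstrated}")
    d = drift_scenario()
    print(f"replica out of sync: {d.out_of_sync}, drift={d.drift_days(AS_OF)} days")
```

Running the module prints the three scenarios. The subset test reports 40% coverage and no demonstrated full restore; the complete test still fails because one hash does not match the catalog; and the drift check reports the single divergent object with 183 days of drift, the kind of figure a contingency plan review would want to see tracked against a recovery objective.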